Government Keynote:

At our first Data Management and Analytics virtual event, Dr. Kate Harrington, Ph.D., Head of Strategic Digital Initiatives, Government Chief Information & Digital Office, Digital NSW presented a case study on using biometrics for secure citizen access in the digital world at Digital NSW

Proof of identity in a digital world

We live in a modern world where people often need to confirm their identities, especially when dealing with the digital world. In many areas, governments have been notoriously slow to innovate, but when it comes to identity verification, they are leading the way. This is particularly the case in NSW. Dr. Kate Harrington, Ph.D., the Head of Strategic Digital Initiatives within the Government Chief Information & Digital Office at Digital NSW, which is part of the Department of Customer Service, says that one of the NSW Premier’s priorities is “around making government easier and having citizens to tell us once.” With that in mind, one of the ways to achieve that goal is through the use of biometric data, which “makes accessing government services easier for citizens.”

When it comes to data verification, there are essential “three possible ways of proving who I say I am: through something I have, like a document or a card; through something that I know, like a name or a password; or through who I am, like fingerprints or facial recognition.” Biometrics is related to the third of these options, and there are a number of reasons why biometrics is the preferred option. Without biometrics, the verification of identity can be time-consuming and often has to be conducted “in service centres in-person.” On top of that, “the transaction is cumbersome both on the part of government and the citizen, and it is not a seamless experience.” In fact, it actually may go against the Premier’s priority since “people may prove who they are to one person but make a payment or interact with another person.” Furthermore, in-person, manual verifications “are not an equitable access solution for people in rural and remote areas of NSW,” and they are also expensive. On an annual basis, there are about “450,000 transactions which roughly cost the state government $4.5 million to process.”

For all of these reasons, biometrics is the best way to verify identities at a government level. In NSW, this is through the use of a product called POI L2+, which is a one-to-one facial recognition and is about “proving to the appropriate level, though a proof of identity (POI) portal, level two plus and beyond.” This is because people often need a “higher level of assurance that you are who you say you are and who you claim to be.” Given the reasons above, the in-person verification methods are not ideal, so biometrics is the way to “enable verifications digitally, and when we do that digitally, we start to really talk about data in a far more realistic way.”

“Unlike other forms of identity, biometrics can’t be forgotten, exchanged, forged or stolen. It is a much more secure form of data for identity proving in the digital world.”

Relating biometrics to data management

Biometrics as a concept may seem esoteric and “quite a complicated piece of work,” but in reality, “it has become quite a natural part of our daily lives.” Most of us use some form of voice, fingerprint, or facial recognition biometrics regularly when we use our phones when we apply multi-factor authentication, or even when we use smart technologies. From a government perspective, using biometrics helps to prove identities, but is also “aligned to the ethics and practices relating to data collection management for use in the real world.” In other words, when design principles are applied, it is very relevant to “information and data management.”

The first of these principles – in priority relevance to data – is informed consent.” This is the concept that any government transaction or use of personal information “must only be used with your consent.” There are privacy regulations related to this as well as “assurances that customers must have control of or access to their identity and credentials at any time.” From a ‘tell us once’ perspective, “we’re talking about a distributed data model,” with biometrics data stored in one place, “accessed at the moment of a transaction, or stored on your own phone or device.” The point is that “customers must know who is using their data and how it is being used so that they can make informed decisions about whether or not they want to participate.” On top of that, “should they not wish to use biometrics, there will always be other channels available, and they may wish to use biometrics for one particular service but not for others.”

The second principle is privacy by design.” This relates to the development of “privacy impact assessments, which are used regularly at the Department of Customer Service to inform how we roll out a project.” They are available to the public and there is “transparency of access through the use of biometrics so that customers have the ability to delete any aspects of their data at any point should they no longer wish to provide their consent to participate.” This is a new concept and a “new way of thinking for government about how we collect, use and manage data.”

The third principle is “being secure and trustworthy.” Proof of identity in a digital framework is closely related to cyber awareness, with “clear rules around biometric data storage, transmission, access, and retention.” For instance, biometric platforms must be resilient to “minimise the risk of hack or forgery,” and they “must not be used to track customers across unrelated services.” On top of that, customers must have “avenues for support, appeal, and recovery of their data.” This is particularly relevant if data is stolen or compromised, and thus the “biometrics technology needs to be fit for business requirements and government services.”

The fourth and final principle is about “being inclusive and user friendly.” In essence, this is about having a “strategy that addresses barriers to inclusion.” In a data context, this means “having platinum standard data controls” so that the data is of a high enough quality to allow “customers to make decisions using that data.”

With these principles in mind, “the transition to the use of biometrics is the next step that we need to take in government.” In many ways, this is about “balancing change, transformation, data literacy and upskilling,” and for the NSW government, there are “three main areas we are looking at, all of which have risks and benefits:”

  • Technical – “Protecting against errors and fraud, and aligned to government strategies.”
  • Customer experience – “We need to be very careful in our communications of what type of biometrics we’re using, and we’re talking only about one-to-one facial matching with the customer’s consent and with them opting in. We’re definitely not talking about identifying people in crowds.”
  • Policy and legal – “This is about developing a robust, future-proof policy framework, and having the potential to create barriers for where we want to take service delivery next.”

Ultimately, all of this is about creating efficiencies and “improving the security of identity information in the digital world,” which is critical to the modern-day use of data and information.